Bypass UAC Using SilentCleanup Task

calendar Feb 12, 2024 · attack.privilege_escalation attack.defense_evasion attack.t1548.002  ·
Share on: linkedin copy

Detects the setting of the environement variable "windir" to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.

Sigma rule (View on GitHub)

 1title: Bypass UAC Using SilentCleanup Task
 2id: 724ea201-6514-4f38-9739-e5973c34f49a
 3status: test
 4description: |
 5    Detects the setting of the environement variable "windir" to a non default value.
 6    Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
 7    The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.    
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
10    - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
11    - https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
12author: frack113, Nextron Systems
13date: 2022/01/06
14modified: 2024/01/30
15tags:
16    - attack.privilege_escalation
17    - attack.defense_evasion
18    - attack.t1548.002
19logsource:
20    category: registry_set
21    product: windows
22detection:
23    selection:
24        TargetObject|endswith: '\Environment\windir'
25    filter_main_default:
26        Details: '%SystemRoot%'
27    condition: selection and not 1 of filter_main_*
28falsepositives:
29    - Unknown
30level: high

References

Related rules

to-top